Edwards coordinates for elliptic curves, part 2. D. J. Bernstein, University of Illinois at Chicago. (Joint work with Tanja Lange.)
(Diagram; only the names survived extraction: Cohen, Schoof, Lenstra, Miller, Bosma, Koblitz, Goldwasser/Kilian, Chudnovsky/Chudnovsky, Atkin; ECPC, ECM, ECC, ECPP.)
Elliptic-curve signatures. Standardize a prime p = 2^255 − 19: not too small (want hard ECDL!), and close to 2^255 for fast arithmetic. Standardize a “safe” elliptic curve E over F_p: x^2 + y^2 = 1 + dx^2y^2 where d = 1 − 1/121666, with #E(F_p) = 8q where q is prime, and 2(p + 1) − #E(F_p) = 4 · prime. (2005 Bernstein, “Curve25519: new Diffie-Hellman speed records,” as y^2 = x^3 + 486662x^2 + x.) Standardize B ∈ E(F_p), order q. Standardize a “hash function” H.
Signer has 32-byte secret key n ∈ {0, 1, …, 2^256 − 1}. Everyone knows signer’s 32-byte public key: compressed nB. To sign a message m: generate a secret s; compute R = sB; compute t = H(R, m)s + n mod q; transmit (m, compressed R, t). To verify (m, compressed R, t): verify tB = H(R, m)R + nB. (First similar idea: 1985 ElGamal; many generalizations, variations; these choices: 2006 van Duin.)
Bottleneck: several types of elliptic-curve scalar multiplication. Generating key: given 256-bit integer n, fixed B ∈ E(F_p), compute nB. Generating signature: same. Verifying signature: given 256-bit t, 256-bit h, fixed B, variable R, compute tB − hR. Similar bottleneck for ECDH: given 256-bit n, variable R, compute nR.
Optimizing scalar multiplication. Crypto 1985, Miller, “Use of elliptic curves in cryptography”: using division-polynomial recursions can compute nP given P “in 26 log_2 n multiplications”; but can do better! “It appears to be best to represent the points on the curve in the following form: Each point is represented by the triple (x, y, z) which corresponds to the point (x/z^2, y/z^3).”
1986 Chudnovsky/Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model of an algebraic group variety, where computations mod p are the least time consuming.”
For “traditional” (X/Z^2, Y/Z^3): Chudnovsky/Chudnovsky state explicit formulas using 16M for ADD, 8M for DBL if a_4 = −3. “We suggest to write addition formulas involving (X, Y, Z, Z^2, Z^3).” 14M ADD, 9M DBL if a_4 = −3. Also operation counts for projective coordinates (X : Y : Z) representing (X/Z, Y/Z); Hessian curves; Jacobi quartics; Jacobi intersections.
Asiacrypt 1998, Cohen/Miyaji/Ono, “Efficient elliptic curve exponentiation using mixed coordinates”: 1. Faster than Chudnovsky/Chudnovsky! (X, Y, Z, Z^2, Z^3) formulas: compute Z^2, Z^3 only for points that will be added. 2. A new coordinate system; speedups in some cases. 3. A new inversion strategy. 4. The first serious analysis of parameter choices.
“Sliding windows” (1939 Brauer, improved by 1973 Thurber): popular method to compute nP from P using very few additions, subtractions, doublings. Precompute P, 3P, 5P, 7P. If n is even, recursively compute (n/2)P and then double. If n is odd, recursively compute (n ∓ 1)P or (n ∓ 3)P or (n ∓ 5)P or (n ∓ 7)P, whichever involves the largest power of 2, and then add ±P or ±3P or ±5P or ±7P.
Why not 2P, 3P, 5P, …, 15P? Or 2P, 3P, 5P, …, 31P? For 2P, 3P, 5P, …, (2^w − 1)P: 2^(w−1) adds in precomputation; ≈ 256/(w + 2) adds on average in main computation. Cohen/Miyaji/Ono introduce an option to speed up the adds: compute 2P, convert to affine, compute 3P, 4P, convert, compute 5P, 7P, 8P, convert, etc.
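The signed sliding-window recursion from the two slides above, written out as an added example (not code from the slides). To keep the chain itself visible, the "point" P is an integer standing in for a group element, so kP is literally k·P and a chain can be checked against n; every group operation is tallied so that the 2^(w−1) precomputation adds and the ≈ 256/(w+2) main-phase adds can be observed on random 256-bit scalars (the sample scalars and the seed are constructed here).

```python
import random

def precompute_odd_multiples(P, w, ops):
    """{1: P, 3: 3P, ..., 2^w - 1: (2^w - 1)P}: one doubling, then 2^(w-1) - 1 additions."""
    twoP = P + P
    ops["dbl"] += 1
    table = {1: P}
    for k in range(3, 2 ** w, 2):
        table[k] = table[k - 2] + twoP
        ops["add"] += 1
    return table

def trailing_zeros(m):
    """Exponent of the largest power of 2 dividing m; m == 0 counts as 'divisible by everything'."""
    return float("inf") if m == 0 else (m & -m).bit_length() - 1

def sliding_window_multiply(n, P, w, ops=None):
    """nP by the recursion on the slide; returns (nP, ops).  P is an integer standing in
    for a group element (constructed stand-in), so kP is k*P and results are checkable."""
    ops = {"add": 0, "dbl": 0} if ops is None else ops
    table = precompute_odd_multiples(P, w, ops)

    def rec(n):
        if n == 0:
            return 0                                  # neutral element of the stand-in group
        if n % 2 == 0:
            half = rec(n // 2)                        # (n/2)P, then one doubling
            ops["dbl"] += 1
            return half + half
        # n odd: among n - k and n + k (k odd, k < 2^w) take the one divisible by the
        # largest power of 2.  n + k is the branch that ends in a subtraction of kP.
        _, s, k = max((trailing_zeros(n - s * k), s, k)
                      for k in table for s in (1, -1) if n - s * k >= 0)
        m = n - s * k
        if m == 0:                                    # n itself is in the table
            return s * table[k]
        R = rec(m)
        ops["add"] += 1                               # add kP or subtract kP (negation is free)
        return R + s * table[k]

    return rec(n), ops

def average_main_phase_adds(w, bits=256, trials=200, seed=1):
    """Mean number of additions after precomputation for random scalars of the given size."""
    rng = random.Random(seed)                         # constructed sample scalars
    precomp = 2 ** (w - 1) - 1
    total = 0
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1))
        total += sliding_window_multiply(n, 1, w)[1]["add"] - precomp
    return total / trials
```

Why the average lands near 256/(w+2): the signed odd multiples ±1, ±3, …, ±(2^w − 1) cover every odd residue modulo 2^(w+1), so each addition is always followed by at least w+1 halvings, plus on average one more, before the next odd value appears.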
Cohen/Miyaji/Ono analyze #adds carefully; account for different types of additions; analyze several different coordinate systems; and identify optimal choices of w, depending on I/M, for 160 bits, 192 bits, 224 bits. Example of results for 160 bits, assuming S/M = 0.8: Cohen/Miyaji/Ono recommend one method using “1610.2M” and one using “4I + 1488.4M.”
Subsequent improvements: 1. Faster addition/doubling formulas for old coordinates. Many sources; for survey see Explicit-Formulas Database. 2. Fast new coordinates: e.g. Edwards curves, extended Jacobi quartics, inverted Edwards coordinates. 3. “Fractional windows” and other addition-chain tweaks: e.g. 2P, 3P, 5P, 7P, 9P, 11P, 13P. 4. More inversion strategies.
Asiacrypt 2007, Bernstein/Lange, “Faster addition and doubling on elliptic curves”: fast Edwards computations; comparison to other coordinates for scalar multiplication. Comparison unjustifiably assumed 2P, 3P, 5P, …, 15P; ignored possibility of inversions. New, 2007 Bernstein/Lange, “Analysis and optimization of elliptic-curve single-scalar multiplication”: much more comprehensive comparison.
“This paper is dedicated to Henri Cohen on the occasion of his sixtieth birthday.” Example of new results for 160-bit scalars: 1I + 1495.8M for Jacobian coordinates; 1I + 1434.1M for Jacobian with a_4 = −3; 1287.8M for inverted Edwards.
Could also use “Montgomery coordinates.” No fast additions, but fast differential additions P − Q, P, Q ↦ P + Q. (1986 Chudnovsky/Chudnovsky; independently 1987 Montgomery with faster formulas.) P ↦ nP using 8.2M per bit. Conventional wisdom: faster than Jacobian; therefore the fastest method.
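An added example (not code from the slides) of what "differential addition" buys: the x-only Montgomery ladder on the Curve25519 form y^2 = x^3 + 486662x^2 + x over F_p from the signature slide. Each ladder step consumes x(P), x(R) and x(R + P) and produces x(2R) and x(2R + P) in projective X/Z form, so the only inversion is at the end. The base x-coordinate 9 and the order q of that base point are the standard Curve25519/Ed25519 values, not values from the slides; the affine doubling formula is included only as an independent check.

```python
p = 2**255 - 19
A = 486662                      # Curve25519: y^2 = x^3 + A x^2 + x
A24 = (A - 2) // 4              # 121665, the constant used in the doubling step
BASE_X = 9                      # x-coordinate of the standard base point
Q = 2**252 + 27742317777372353535851937790883648493   # order of that base point (Ed25519 value)

def x_ladder(n, x1, bits=255):
    """x(nP) from x1 = x(P) via the Montgomery ladder; None denotes the point at infinity."""
    x1 %= p
    x2, z2, x3, z3 = 1, 0, x1, 1            # (x2:z2) = x(0P) = infinity, (x3:z3) = x(P)
    swap = 0
    for t in range(bits - 1, -1, -1):
        k_t = (n >> t) & 1
        swap ^= k_t
        if swap:                             # a production ladder does this swap in constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        # invariant: (x2:z2) = x(R), (x3:z3) = x(R + P); the difference is P, x(P) = x1
        a = (x2 + z2) % p
        aa = a * a % p
        b = (x2 - z2) % p
        bb = b * b % p
        e = (aa - bb) % p
        c = (x3 + z3) % p
        dd = (x3 - z3) % p
        da = dd * a % p
        cb = c * b % p
        x3 = (da + cb) ** 2 % p              # differential addition: x(2R + P) from x(R), x(R+P), x(P)
        z3 = x1 * ((da - cb) ** 2 % p) % p
        x2 = aa * bb % p                     # doubling: x(2R)
        z2 = e * (aa + A24 * e) % p
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    if z2 == 0:
        return None
    return x2 * pow(z2, p - 2, p) % p

def x_double_affine(x):
    """Independent check: affine x(2P) = (x^2 - 1)^2 / (4x(x^2 + Ax + 1))."""
    x %= p
    num = (x * x - 1) ** 2 % p
    den = 4 * x * (x * x + A * x + 1) % p
    return num * pow(den, p - 2, p) % p
```

Counting the operations in one step: DA, CB, x1·(DA − CB)^2, AA·BB and E·(AA + a24·E) are 5 multiplications, and AA, BB, (DA + CB)^2, (DA − CB)^2 are 4 squarings (plus one multiplication by the small constant a24), so 5M + 4S per bit, which is the slide's 8.2M per bit at S = 0.8M.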
Our prediction: Edwards will be faster than Montgomery for cryptographic applications. Larger advantage with larger scalars. Much larger advantage with more scalars: mP + nQ. Need to account carefully for differences between simple multiplication counts and real software speeds. In progress: implementation.
Double-base chains. Are triplings useful for scalar multiplication? Can write nP as sum of very few points ±2^(a_i)3^(b_i)P. But need many doublings, triplings to compute those points. Asiacrypt 2005, Dimitrov/Imbert/Mishra: require a_0 ≥ a_1 ≥ ··· and b_0 ≥ b_1 ≥ ···. Only a_0 doublings, b_0 triplings. But need more points.
Indocrypt 2006, Doche/Imbert: use precomputation to expand range of i’s. Fewer points. Indocrypt 2007, Bernstein/Birkner/Lange/Peters: analysis of double-base single-scalar multiplication with various doubling/tripling ratios, various coordinate systems, various addition formulas (including new tripling formulas for Edwards curves), etc.
Basic conclusions: triplings help Jacobian coordinates, Hessian curves, and tripling-oriented Doche/Icart/Kohel. But the best resulting speeds are still slower than pure-doubling Edwards. Analysis assumes 0 inversions. In progress: expand analysis for more inversion strategies. “Grand unified optimization.” … And then more scalars.
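An added example (not code from the slides or the cited papers) of the double-base chain idea from the three slides above: a greedy expansion n = Σ ±2^(a_i)3^(b_i) under the Dimitrov/Imbert/Mishra restriction a_0 ≥ a_1 ≥ … and b_0 ≥ b_1 ≥ …, followed by Horner-style evaluation that uses exactly a_0 doublings, b_0 triplings and one addition per extra term. As before, P is an integer standing in for a curve point so the result can be compared with n; the greedy "closest term" rule is my choice for illustration, not the specific heuristic of any paper.

```python
def closest_term(n, amax, bmax):
    """(a, b) with a <= amax, b <= bmax minimising |n - 2^a 3^b|, for n >= 1."""
    best = None
    for b in range(bmax + 1):
        t = 3 ** b
        # for fixed b the optimum is one of the two powers of 2 bracketing n / 3^b
        a_lo = (n // t).bit_length() - 1 if t <= n else 0
        for a in (min(a_lo, amax), min(a_lo + 1, amax)):
            dist = abs(n - (t << a))
            if best is None or dist < best[0]:
                best = (dist, a, b)
    return best[1], best[2]

def double_base_chain(n):
    """Greedy n = sum_i s_i 2^(a_i) 3^(b_i), s_i = +/-1, with non-increasing a_i and b_i.
    Returns [(s_0, a_0, b_0), (s_1, a_1, b_1), ...]."""
    amax = n.bit_length()
    bmax = 0
    while 3 ** (bmax + 1) <= n:
        bmax += 1
    terms, sign = [], 1
    while n:
        a, b = closest_term(n, amax, bmax)
        terms.append((sign, a, b))
        r = n - 2 ** a * 3 ** b
        if r < 0:                    # overshoot: the remaining terms enter with opposite sign
            r, sign = -r, -sign
        n, amax, bmax = r, a, b      # exponents may only decrease from here on
    return terms

def evaluate_chain(terms, P):
    """nP from the chain, Horner style, on the stand-in group (P an integer, kP = k*P).
    Total cost: a_0 doublings, b_0 triplings, len(terms) - 1 additions."""
    ops = {"dbl": 0, "tpl": 0, "add": 0}
    s, a_prev, b_prev = terms[0]
    R = s * P
    for s, a, b in terms[1:] + [(0, 0, 0)]:   # sentinel applies the last exponents
        for _ in range(a_prev - a):
            R = R + R
            ops["dbl"] += 1
        for _ in range(b_prev - b):
            R = R + R + R                     # one tripling
            ops["tpl"] += 1
        if s:
            R = R + s * P
            ops["add"] += 1
        a_prev, b_prev = a, b
    return R, ops
```

The slide's trade-off is visible in the counts: the chain needs only a_0 doublings and b_0 triplings in total, but the monotonicity restriction forces more terms (and hence more additions) than an unrestricted double-base representation would.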
Many-scalar multiplication. Batch verification of many t_iB − h_iR_i = S_i: check Σ_i v_it_iB − Σ_i v_ih_iR_i − Σ_i v_iS_i = 0 for random 128-bit v_i. (Naccache et al., Eurocrypt 1994; Bellare et al., Eurocrypt 1998.) Also encounter many scalars as in computing nB as n_0B + n_1·2^16B + ··· using precomputed 2^16B etc.
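An added example (not code from the slides) covering both the signature scheme on the earlier slides (p = 2^255 − 19, x^2 + y^2 = 1 + dx^2y^2 with d = 1 − 1/121666, t = H(R, m)s + n mod q, check tB = H(R, m)R + nB) and the randomized batch check above. Assumptions not on the slides: q is the well-known Ed25519 group order; the base point B is constructed here by taking the point with y = 4/5 and multiplying by the cofactor 8 (the test confirms qB = (0, 1)); H is SHA-512 of R and m reduced mod q; point compression is omitted, so R and nB travel as affine pairs; the arithmetic is plain affine double-and-add with an inversion per operation, fine for a demonstration but not the fast formulas the talk is about.

```python
import hashlib
import secrets

p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493   # prime with #E(F_p) = 8q (Ed25519 value)
d = (1 - pow(121666, p - 2, p)) % p                     # d = 1 - 1/121666

def inv(a):
    return pow(a, p - 2, p)

def sqrt_mod_p(a):
    """Square root for p = 5 (mod 8); None if a is a non-residue."""
    r = pow(a, (p + 3) // 8, p)
    if (r * r - a) % p:
        r = r * pow(2, (p - 1) // 4, p) % p               # multiply by sqrt(-1)
    return r if (r * r - a) % p == 0 else None

def on_curve(P):
    x, y = P
    return (x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Edwards addition law; complete since d is a non-square.  Neutral element (0, 1)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 % p * y1 * y2 % p
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % p,
            (y1 * y2 - x1 * x2) * inv(1 - t) % p)

def neg(P):
    return (-P[0] % p, P[1])

def mul(n, P):
    """Binary double-and-add, n >= 0 (slow but simple)."""
    R = (0, 1)
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

# Base point of order q, constructed here: the point with y = 4/5, times the cofactor 8.
_y = 4 * inv(5) % p
_x = sqrt_mod_p((1 - _y * _y) * inv(1 - d * _y * _y) % p)
B = mul(8, (_x, _y))

def H(R, m):
    """Hash to a scalar mod q.  SHA-512 over R || m is an assumption, not the slides' H."""
    data = R[0].to_bytes(32, "little") + R[1].to_bytes(32, "little") + m
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % q

def keygen(n=None):
    """Secret key n in [0, 2^256), public key nB."""
    n = secrets.randbelow(2**256) if n is None else n
    return n, mul(n, B)

def sign(n, m, s=None):
    """Secret s, R = sB, t = H(R, m) s + n mod q; signature is (R, t)."""
    s = secrets.randbelow(q) if s is None else s
    R = mul(s, B)
    return R, (H(R, m) * s + n) % q

def verify(pub, m, sig):
    """Accept iff tB = H(R, m) R + nB."""
    R, t = sig
    return mul(t, B) == add(mul(H(R, m), R), pub)

def batch_verify(items, rng=secrets.randbits):
    """items = [(pub, m, (R, t)), ...].  Check sum v_i t_i B - sum v_i h_i R_i - sum v_i S_i = 0
    for random 128-bit v_i; the fixed base B is multiplied once for the whole batch."""
    tb, rest = 0, (0, 1)
    for pub, m, (R, t) in items:
        v = rng(128)
        tb = (tb + v * t) % q                              # B has order q, so reduce mod q
        rest = add(rest, neg(mul(v * H(R, m) % q, R)))     # R_i is a multiple of B, order divides q
        rest = add(rest, neg(mul(v, pub)))
    return add(mul(tb, B), rest) == (0, 1)
```

The random v_i are what make the batch check sound: without them, a bad signature could be cancelled by another crafted one in the same batch, and with 128-bit v_i the chance that a batch containing a bad signature still sums to (0, 1) is about 2^−128.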
Use subtractive multi-scalar multiplication algorithm: if n_1 ≥ n_2 ≥ ··· then n_1P_1 + n_2P_2 + n_3P_3 + ··· = (n_1 − qn_2)P_1 + n_2(qP_1 + P_2) + n_3P_3 + ··· where q = ⌊n_1/n_2⌋. (Credited to Bos and Coster by de Rooij, Eurocrypt 1994; see also tweaks by Wei Dai, 2007.) Addition speed is critical. Inverted Edwards coordinates: 9M + 1S, speed record.
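The subtractive reduction above, implemented as an added example (not code from the slides or from de Rooij's paper): a max-heap keeps the scalars sorted, the largest is reduced by ⌊n_1/n_2⌋ times the second largest, and the corresponding point update qP_1 + P_2 is charged to an operation counter. Points are again integers standing in for group elements so that Σ n_iP_i can be checked exactly; the random trial scalars are constructed here.

```python
import heapq
import random

def double_and_add(k, P, ops):
    """kP by binary double-and-add on the stand-in group, k >= 1; cost tallied in ops."""
    R = None
    for bit in bin(k)[2:]:
        if R is not None:
            R = R + R
            ops["dbl"] += 1
        if bit == "1":
            if R is None:
                R = P
            else:
                R = R + P
                ops["add"] += 1
    return R

def bos_coster(scalars, points):
    """sum_i n_i P_i by the subtractive rule from the slide:
    n1 P1 + n2 P2 = (n1 - q n2) P1 + n2 (q P1 + P2), q = floor(n1/n2), n1 >= n2."""
    ops = {"add": 0, "dbl": 0}
    heap = [(-n, P) for n, P in zip(scalars, points) if n > 0]
    heapq.heapify(heap)                               # max-heap on the scalars
    while len(heap) > 1:
        n1, P1 = heapq.heappop(heap)
        n2, P2 = heapq.heappop(heap)
        n1, n2 = -n1, -n2                             # n1 >= n2 > 0
        qq = n1 // n2
        P2 = double_and_add(qq, P1, ops) + P2         # the one addition that really matters
        ops["add"] += 1
        heapq.heappush(heap, (-n2, P2))               # n2 keeps its scalar, gets the new point
        if n1 - qq * n2:
            heapq.heappush(heap, (-(n1 - qq * n2), P1))
    if not heap:
        return 0, ops
    n, P = heap[0]
    return double_and_add(-n, P, ops), ops

def random_trial(count=4, bits=256, seed=7):
    """Random scalars on fixed stand-in points.  Returns (correct, ops, naive_ops) where
    naive_ops is the cost of computing each n_i P_i separately by double-and-add."""
    rng = random.Random(seed)                         # constructed sample scalars
    scalars = [rng.getrandbits(bits) | 1 for _ in range(count)]
    points = [3, 5, 7, 11, 13, 17, 19, 23][:count]
    result, ops = bos_coster(scalars, points)
    expected = sum(n * P for n, P in zip(scalars, points))
    naive = sum((n.bit_length() - 1) + (bin(n).count("1") - 1) for n in scalars)
    return result == expected, ops, naive
```

Because the scalars shrink quickly once several of them are of similar size, almost every step costs a single addition and no doubling, which is why the slide says addition speed is critical for this algorithm.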
Elliptic-curve factorization. Bernstein/Birkner/Lange/Peters, in progress: Edwards ECM. First-stage ECM analysis: similar to ECC analysis. Can use larger scalars, increasing the advantage of Edwards over Montgomery. Second stage: more complicated. Also some improvements in curve selection.
Elliptic-curve primality proving. Is n prime? Maybe. Want computation of kP in E(Z/n) to prove that kP = 0 in E(Z/p) for every prime divisor p of n; use this to prove that n is prime. Proper definition of E(Z/n) achieves this, but also requires many invertibility tests, each costing at least 1M and extra implementation effort.
For simplicity and speed, current ECPP software omits various tests. Bernstein question to Morain: “Do the resulting computations actually prove primality?” Morain answer to Bernstein: “Feel free to look for a non-prime counterexample.” Disclaimer: There is no evidence that this conversation took place.
Often ECPP uses curves that can be transformed to Montgomery, Edwards, etc. (Chance → 1 as n → ∞?) With detailed case analysis can eliminate tests for zero from a Montgomery-style ECPP. (2006 Bernstein.) Bernstein/Lange, with Jonas Lindstrøm Jensen, in progress: aiming for simpler, faster ECPP using Edwards.